Admission Controllers

KubeVirt API Validation

The KubeVirt VirtualMachineInstance API is implemented using a Kubernetes Custom
Resource Definition (CRD). Because of this, KubeVirt is able to leverage a
couple of features Kubernetes provides in order to perform validation checks on
our API as objects are created and updated on the cluster.

How API Validation Works

CRD OpenAPIv3 Schema

The KubeVirt API is registered with Kubernetes at install time through a series
of CRD definitions. KubeVirt includes an OpenAPIv3 schema in these definitions
which gives the Kubernetes API server some very basic information about
our API, such as what fields are required and what type of data is expected for
each value.

This OpenAPIv3 schema validation is installed automatically and requires no
thought on the user's part to enable.

Admission Control Webhooks

The OpenAPIv3 schema validation is limited. It only validates that the general
structure of a KubeVirt object looks correct. It does not, however, verify that
the contents of that object make sense.

With OpenAPIv3 validation alone, users can easily make simple mistakes (like
not referencing a volumeName correctly with a disk) and the cluster will still
accept the object. However, the VirtualMachineInstance will of course not start if
these errors in the API exist. Ideally we’d like to catch configuration issues
as early as possible and not allow an object to even be posted to the cluster
if we can detect there’s a problem with the object’s Spec.

In order to perform this advanced validation, KubeVirt implements its own
admission controller, which is registered with Kubernetes as an admission
controller webhook. This webhook is registered with Kubernetes at install time.
As KubeVirt objects are posted to the cluster, the Kubernetes API server
forwards creation requests to our webhook for validation before persisting the
object into storage.
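
The kind of check described above, a disk whose volumeName matches no volume, as an added sketch that is not KubeVirt's own webhook code. The struct shapes are simplified assumptions that keep only the fields the check reads, and the Admit function and the sample request are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed, simplified shapes: only the fields this check reads.
type disk struct{ VolumeName string `json:"volumeName"` }
type volume struct{ Name string `json:"name"` }
type review struct {
	Request struct {
		Object *struct {
			Spec struct {
				Domain struct {
					Devices struct {
						Disks []disk `json:"disks"`
					} `json:"devices"`
				} `json:"domain"`
				Volumes []volume `json:"volumes"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// Constructed sample request: the second disk misspells its volume name.
const sample = `{"request":{"object":{"spec":{"domain":{"devices":{"disks":[{"volumeName":"rootdisk"},{"volumeName":"clouddinit"}]}},"volumes":[{"name":"rootdisk"},{"name":"cloudinit"}]}}}}`

// Admit reports whether the object may be persisted, plus one cause per bad disk.
func Admit(body []byte) (bool, []string) {
	var r review
	if err := json.Unmarshal(body, &r); err != nil || r.Request.Object == nil {
		return false, []string{"malformed AdmissionReview"} // fail closed
	}
	spec, known := r.Request.Object.Spec, map[string]bool{}
	for _, v := range spec.Volumes {
		known[v.Name] = true
	}
	var causes []string
	for i, d := range spec.Domain.Devices.Disks {
		if !known[d.VolumeName] {
			causes = append(causes, fmt.Sprintf("spec.domain.devices.disks[%d].volumeName %q matches no spec.volumes entry", i, d.VolumeName))
		}
	}
	return len(causes) == 0, causes
}

func main() {
	fmt.Println(Admit([]byte(sample)))
}
```

The sample passes a structure-only schema check because every field has the right type; only the cross-reference between disks and volumes reveals the mistake.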

Note, however, that the KubeVirt admission controller only works when the
features it requires are enabled on the cluster.

Enabling KubeVirt Admission Controller on Kubernetes

When provisioning a new Kubernetes cluster, ensure that both the
MutatingAdmissionWebhook and ValidatingAdmissionWebhook values are
present in the API server's --admission-control CLI argument.

Below is an example of the --admission-control values we use during
development